EdgeSync with Exchange Server 2010 problem
I've looked through the other posts, and while similar, none seem to be the same as that I'm seeing.
Configuration is TMG/Edge Transport on W2K8 R2 and Exchange on W2K8 R2. Mail traffic flowing fine.
Looking at the TMG log, I am seeing an LDAPS(EdgeSync) Initiate from the Exchange server to the edge server, followed by a Closed (abort because RST sent), followed by Denied. This happens every time a sync occurs or when I do a manual sync.
I have created new subscription information and re-created the edge subscription on the hub transport (deleted old & created new). The Test-EdgeSubscription yields:
[PS] C:\Windows\system32>Test-EdgeSynchronization
RunspaceId : 69ad3ff1-1c7b-4e32-bfaa-6956ad5e7b3e
SyncStatus : Normal
UtcNow : 7/7/2011 5:35:08 PM
Name : GUARDIAN
LeaseHolder : CN=ZAPHOD,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=n1vqw,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=sambelkee,DC=lcl
LeaseType : Option
FailureDetail :
LeaseExpiryUtc : 7/7/2011 6:04:49 PM
LastSynchronizedUtc : 7/7/2011 5:34:49 PM
TransportServerStatus : Skipped
TransportConfigStatus : Skipped
AcceptedDomainStatus : Skipped
RemoteDomainStatus : Skipped
SendConnectorStatus : Skipped
MessageClassificationStatus : Skipped
RecipientStatus : Skipped
CredentialRecords : Number of credentials 3
CookieRecords : Number of cookies 2
This shows an LDAPS(EdgeSync) Initiate in the TMG log.
So the real question is whether or not the sync is actually running. I suspect not, but nothing I have tried seems to change the fingerprint in the TMG log.
- Mark
July 7th, 2011 1:57pm
It's not working.
Create an allow rule on TMG that allows traffic from HUB to TMG/EDGE on TCP 50636.
lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com
July 7th, 2011 2:09pm
I could believe that. I'm curious about the rule...
In the "System Policy Rules" created by TMG, rule 47 ("Allow LDAP/LDAPS traffic to the local host for the Exchange Server EdgeSync synchronization process") allows LDAP/LDAPS EdgeSync traffic from the internal network (where my HUB is located) to the localhost
(where the EDGE is located). Wouldn't this rule do what you suggest?
- Mark
July 7th, 2011 2:53pm
That is correct, this rule should do it.
If your TMG/Edge has a single interface, then make sure that the HUB servers are included in the From tab/traffic.
Verify clock settings on TMG/Edge.
lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com
July 7th, 2011 4:19pm
TMG/Edge is dual homed. One NIC to the Internet and the other NIC to the internal network. No DMZ per se.
I just checked, and the clocks are within one minute of each other.
- Mark
July 7th, 2011 4:23pm
SyncStatus shows Normal, and I suspect that it is working after all.
If you start the Exchange Management Console on Edge and look at accepted domains, is it the same list as on an internal server? It looks like the EdgeSync is working correctly.
If your org. has a small number of mailboxes, EdgeSync runs very fast, within a second or two.
You can also add an accepted domain on HUB, run EdgeSync and see if it syncs to Edge correctly.
lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com
July 7th, 2011 4:43pm
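Lasse's accepted-domain test as one complete run from the Hub Transport server's Exchange Management Shell, added here as an example (not code from either poster). The Edge server name comes from the Test-EdgeSynchronization output above; the probe domain name is a constructed placeholder.

```powershell
# Added example (not from the thread): verify EdgeSync end-to-end from the Hub.
# Assumptions: "GUARDIAN" is the Edge server named in the thread's output, and
# "edgesync-test.example" is a constructed placeholder domain; adjust both.

$EdgeServer   = "GUARDIAN"               # Edge Transport server (from the thread)
$TestDomain   = "edgesync-test.example"  # constructed placeholder domain
$EdgeSyncPort = 50636                    # secure LDAP port EdgeSync uses to the Edge

# 1. Confirm the Hub can actually reach the Edge on TCP 50636 through the TMG rule.
#    W2K8 R2 ships PowerShell 2.0, which has no Test-NetConnection, so use TcpClient.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($EdgeServer, $EdgeSyncPort)
    Write-Host "TCP ${EdgeSyncPort} to ${EdgeServer}: open"
} catch {
    Write-Warning "TCP ${EdgeSyncPort} to ${EdgeServer} blocked: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}

# 2. Create a throwaway accepted domain on the Hub side.
New-AcceptedDomain -Name "EdgeSyncProbe" -DomainName $TestDomain -DomainType Authoritative | Out-Null

# 3. Force a full sync and look at the per-object status fields, not just SyncStatus.
Start-EdgeSynchronization -TargetServer $EdgeServer -ForceFullSync
Test-EdgeSynchronization |
    Format-List Name, SyncStatus, FailureDetail, AcceptedDomainStatus, LastSynchronizedUtc

# 4. On the Edge server's own Exchange Management Shell, confirm the domain arrived:
#      Get-AcceptedDomain | Where-Object { $_.DomainName -eq "edgesync-test.example" }

# 5. Remove the probe domain on the Hub; the next sync removes it from the Edge too.
Remove-AcceptedDomain -Identity "EdgeSyncProbe" -Confirm:$false
```

If step 1 reports the port as blocked while step 4 still shows the domain on the Edge, the sync is reaching the Edge by some other path and the TMG denial is worth tracing by rule name in the log.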
Good test.
I just tried adding a new accepted domain on EDGE, did a manual sync, and the new domain showed up on EDGE. So it would appear synchronization is happening, although it isn't clear why the denials are showing up in the TMG log.
So it does appear to be working correctly; at least as far as accepted domains go. :-)
- Mark
July 7th, 2011 4:53pm